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The present invention relates to a method of monitoring the operation of at 
least one microcontroller unit that is intended for at least one application and is associated 
with a system. 

The present invention further relates to a base chip, and particularly a system 
5 base chip, for monitoring the operation of at least one microcontroller unit that is intended for 
at least one application, and to an associated system, and particularly a control system. 



One of the most important hardware signals in a control unit is the reset signal, 
the purpose of which is to reset the application hardware in the event of system faults. In 

10 certain applications, provision is even deliberately made by the user for the hardware to be 
reset, for example to enable parts of the program to be started in a microcontroller with the 
software in a set, ordered state. 

However, as far as prescribed resetting is concerned, there is no feedback in 
existing applications on whether the resetting of the microcontroller has actually taken place 

15 or whether there is, say, a break in the reset line to the microcontroller. Hence, in the prior 
art, it is not possible for breaks of this kind in the reset line to be detected. 

In this connection, even the so-called "watchdog" function that existing system 
chips have is powerless to help. If, for example, the system chip triggers a reset in ongoing 
operation but the reset signal in question fails to arrive at the microcontroller due to a break 

20 in the line, then the microcontroller will simply continue to operate the monitoring module 
(the so-called "watchdog" unit) in the system chip, and the software will continue running, as 
if there had not been any reset in this case. Consequently, the application software and the 
monitoring module will then be running out of synchronization with one another and there 
will no longer be any guarantee of the system being safe and reliable. 

25 

Taking the disadvantages and shortcomings described above as a point of 
departure and with due allowance for the prior art outlined, it is an object of the present 
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invention so to further develop a method of the kind detailed in the first paragraph and a base 
chip of the kind detailed in the second paragraph that failure of the reset function is reliably 
detectable and the conclusions that need to be drawn for system-related reasons can be 
drawn. 

5 This object is achieved by a method having the features specified in claim 1 

and by a base chip having the features specified in claim 4. Advantageous embodiments and 
useful refinements of the present invention are described in the respective sets of dependent 
claims. 

The present invention is therefore based on the microcontroller having at least 
10 one monitoring module associated with it; the fact that a reset of the microcontroller unit has 
taken place is acknowledged or signaled to this monitoring module by means of at least one 
confirming signal. 

Under the teaching of the present invention, it is further proposed that at least 

one monitoring module be provided in the application, and in particular in at least one base 
15 chip and specifically in at least one S[ystem] B[ase] C[hip]. In accordance with the invention, 

there thus exists a system chip having a reset handshake, that is to say a means of 

acknowledgement for the reset function. 

In a preferred embodiment of the present invention, it is proposed that 

different signals or different codes are used for triggering the watchdog monitoring module. 
20 As a function of the history that has led to a reset occurring, the application microcontroller 

must use different signals or different codes to confirm to the system chip that it has 

undergone a proper reset. 

The normal cyclic access to the watchdog unit thus differs fi-om an access after 

a reset event has taken place. Hence, if for example the system chip transmits a reset signal to 
25 the application, then the application must respond once with a special, differing signal or 

code. If it fails to do so, it can be assumed that there is a break in the reset line to the 

application or that the line is otherwise disrupted. The system chip may, for example, then go 

to a fail-safe mode in which current consumption is low. 

In preferred embodiments of the present invention, there are in practice 
30 various possible ways of triggering a watchdog unit. In the simplest case, a hardware signal 

that has a pulse applied to it cyclically may be taken direct from the microcontroller unit to 

the watchdog unit. In more complex system chips on the other hand, use may be made of at 

least one serial interface unit to trigger the watchdog unit. 
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Regardless of the type of triggering, it is possible, in accordance with the 
invention, for distinctions to be made between the triggering events. When hardware signals 
are used, codings of the pulses may usefully be employed. The possibility also exists of 
switching a plurality of trigger signal lines. For system chips having a serial interface, one 
5 possibility that suggests itself is to use different serial words to distinguish between the 
watchdog accesses. 

In accordance with the present invention, all the components required for 
developing a fail-safe system are available to the user. What is particularly advantageous is 
the flexibility of the present approach, because there are no fixed preset automatic functions 
10 that have to be incorporated in the S[ystem] B[ase] C[hip]. This allows the safety scheme for 
an application to be adapted and adjusted in the optimum manner and to be defined and/or 
scaled by the user in any desired way. 

Finally, the present invention relates to the use of a method of the kind 
described above and/or of at least base chip of the kind described above for monitoring the 
15 operation of a microcontroller imit intended for at least one application, in automobile 
electronics and particularly in the electronics of motor vehicles. 



As has already been described above, there are various possible ways in which 
the teaching of the present invention may advantageously be embodied and refined. On the 
20 one hand, reference can be made in this connection in particular to the claims dependent on 
claims 1 and 4, and on the other, further aspects, features and advantages of the present 
invention are apparent from and will be elucidated with reference to the illustrative 
embodiment shown in Fig. 1 and described hereinafter. 

25 

In the drawings: 

Fig. 1 is a block diagram of an embodiment of system according to the present 
invention having a base chip and a microcontroller unit. 



30 



Shown diagrammatically in Fig. 1 is a control system 100 that, as well as a 
microcontroller unit 300 having a supply imit 310 (providing the VDD supply), a reset unit 
320 and an l[nput]/0[utput] module 330, also has a so-called S[ystem] B[ase] C[hip]) 200 for 
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monitoring the operation of%the microcontroller unit 300, the said microcontroller unit 300 
being intended for an application. 

For this purpose, the system chip 200 has, amongst other things, a monitoring 
module (= watchdog unit) 10 to which the fact that a reset of the microcontroller unit 300 has 
5 taken place can be acknowledged by means of a confirming signal, thus enabling a so-called 
"reset handshake" function to be implemented. In other words, what this means is that the 
watchdog unit 10, having emitted a reset command, receives a confirmation of the reset event 
from the application; in this way the monitoring module 1 0 shown in Fig. 1 makes it possible 
for broken reset lines 42 to be detected and logged. 

10 In this connection, the system chip 200 supports a trigger signal that differs 

from normal operation or a trigger code that differs from normal operation to allow the 
success of the reset to be confirmed by the application. Consequently, failure of the reset 
function can be reliably detected and in particular it can be detected whether or not the reset 
signal for the application system was successfully received. 

15 In the implementation shown in Fig. 1 , provision may be made for the system 

chip 200 to permit a differing trigger signal only once after a reset command has been 
emitted. If the reset is not acknowledged once with the differing trigger signal or if the 
differing trigger signal is received without a prior reset, the system chip 200 goes to a fail- 
safe state to enable any potential further faulty behavior by the application to be prevented 

20 under any circumstances. 

Because the system chip 200 permits a distinction to be made between 
different reset events and the events to be made accessible to the application microcontroller 
300, the system chip 200 has an information unit 20 (for reset source information) that is 
provided to allow for different reset events and a reset unit 40 (for system resets) that is 

25 connected to the microcontroller unit 300 by a connection 42 (going to the reset unit 320 of 
the microcontroller unit 300). 

To allow information and signals to be exchanged, the monitoring module 1 0 
and the information unit 20 have inserted in front of them an interface unit 30 (feeding the 
l[nput]/0[utput] module 330 of the microcontroller unit 300). 

30 As is also apparent from what is shown in Fig. 1, the monitoring module 10 

and a microcontroller supply unit 50 that is connected to the microcontroller unit 300 by a 
connection 52 have permanently associated with them at least one battery unit 400. Whereas 
the monitoring module 10 receives a permanent supply from the battery 400, the 
microcontroller supply unit 50 can be switched on and off via a switch 54, thus enabling a 
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temporary energy supply to be associated with the microcontroller unit 300 via the 
microcontroller supply unit 50 (supplying the VDD supply unit 3 10 of the microcontroller 
300). 



wo 03/104991 

LIST OF REFERENCE NUMERALS: 



PCT/IB03/02113 



100 System, in particular a control system 

10 Monitoring module, in particular a watchdog unit 

12 Connection between monitoring module 10 and information unit 20 

20 Information unit 

5 24 Connection between information unit 20 and reset unit 40 

30 Interface unit 

32 Connection, particularly a signal line, between interface unit 30 and 

microcontroller unit 300 

40 Reset unit 

10 42 Connection between reset unit 40 and microcontroller unit 300 

50 Supply unit 

52 Connection between supply unit 50 and microcontroller unit 300 

54 Switch of supply unit 50 

200 Base chip, in particular system base chip 

15 300 Microcontroller unit, in particular an application microcontroller 

3 1 0 Supply unit for microcontroller unit 300 

320 Reset unit for microcontroller unit 300 

330 l[nput]/0[utput module of microcontroller unit 300 

400 Battery unit 



